Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

3f9b396622...18.exe

windows7-x64

7

3f9b396622...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/07/2024, 01:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3f9b3966227a581c4fe8aaeca62f2fb3_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    3f9b3966227a581c4fe8aaeca62f2fb3

  • SHA1

    7ee7554b56524cf5ac70d224bc84e28a834746d9

  • SHA256

    d007b17a5014990fca0bfbb32f4250538046ad6fcee98229334eec54de642d8f

  • SHA512

    30345c04dfcc03a34ff125519d5b92c2acde1af096d3fda76c96fb2b09e703f2bf9edb7c1257102424fb3b05cc079d91779452559477fd9f6f07e4722c8f703d

  • SSDEEP

    24576:fp0jZRWmsRHzvDlZ9mUP209jbTUDGHcVKf5pOWVGCMWOruYZE38V1sp9twmDlzBM:fp9HzblKUP2Ry5OWLuu7Q8vZKxr

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f9b3966227a581c4fe8aaeca62f2fb3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3f9b3966227a581c4fe8aaeca62f2fb3_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Program Files\Zaqer\Mopeloi\lol.exe
      "C:\Program Files\Zaqer\Mopeloi\lol.exe" NULL
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Users\Admin\AppData\Local\Temp\is-R8K0G.tmp\lol.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-R8K0G.tmp\lol.tmp" /SL5="$A02B0,500374,64512,C:\Program Files\Zaqer\Mopeloi\lol.exe" NULL
        3⤵
        • Executes dropped EXE
        PID:2000
    • C:\Program Files\Zaqer\Mopeloi\szagram.exe
      "C:\Program Files\Zaqer\Mopeloi\szagram.exe" NULL
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      PID:540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Zaqer\Mopeloi\ferggdfgdfgdgsfg.btj
    Filesize

    600KB

    MD5

    a310b1a0949342b78f4e1a4fd3d5aeb9

    SHA1

    84e6c021c24f090a8e69eca40344a5dca2571061

    SHA256

    19e8b88416e312ebb468e227f0b7047a8462dea03c577d41c8322169be297b1b

    SHA512

    2682b0cef5f44da36cd05f3425a4df13e48d8c8a09e085ea060a6b3ffb88c7a8803b862ef71e44e927af5d2f4241d5c18fb73fdcd4bf213922280abc34a8f2ee

    Download Submit

  • C:\Program Files\Zaqer\Mopeloi\lol.exe
    Filesize

    734KB

    MD5

    750bdb5da81f06f1ee0ed7d135e18b4d

    SHA1

    06464258ebb1b2ba2b7201f2383ef96a85670ef9

    SHA256

    7c1726a58a5971785da951c692a9640beac74c3420ef6901b704911168967821

    SHA512

    948ab46ca01a0a40a11924a88d754c2ee48c8c305b780adbeb0f086fc8bbf38d36ffcdeaffa9c6fb33e29b3e416711559b8e660ef92b5fef56bcf1c3ae2137bd

    Download Submit

  • C:\Program Files\Zaqer\Mopeloi\szagram.exe
    Filesize

    604KB

    MD5

    20b6de21a009223bc39b5ad145604467

    SHA1

    d5e1de75c3e63b7db1dd6b618d53f44e1fea01b3

    SHA256

    cad25bdc4882b3208a0da6ea1fc9ea8ced9d16f49cf8d050eaa108fbc8ecf03b

    SHA512

    d85cecdd403958dbbcc6426f2341b24c31f898a704cba78ab5cd313aa16679910b18ffe45e181f5f0f4dabe3f1e789e34cd1929bfef5fe087e2d70b5721f980d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-R8K0G.tmp\lol.tmp
    Filesize

    688KB

    MD5

    6bf79ed656e55970b65062e23dfbf4ec

    SHA1

    22e26780d2f91c690bb8a887763073053089dad1

    SHA256

    6634675be98e8748ec7e6c9578f54304e2741ed5d648c74bad5930a449183cd8

    SHA512

    9c93dea2b95d35a39e5d85590c82a8daa525a5f4fa23b2d4db936b527da6293526aa948cb54752baf84293fbf1eacd15798dbe587472509c5a64ade1cf9af4a4

    Download Submit

  • memory/540-43-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2000-25-0x0000000000400000-0x00000000004BB000-memory.dmp

    Filesize

    748KB

    Download

  • memory/2000-40-0x0000000000400000-0x00000000004BB000-memory.dmp

    Filesize

    748KB

    Download

  • memory/3616-12-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3616-17-0x0000000000401000-0x000000000040B000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3616-39-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download